
Page 1: Identity

Identity

presented by

Patrick Burke and Christian Loza

Page 2: Identity

Introduction

The Internet has changed the way we do business forever.

In cyberspace, our identity has changed too, and a Digital Identity has emerged.

Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity)[1].

Page 3: Identity

Introduction

CONCEPTS

Identity: Set of characteristics that identifies a given entity.

Identification: Recognizing someone as a specific individual.

Authentication: Process to make sure the identification is valid.

Authorization: Set of resources given to a certain entity, based on the identity.

Page 4: Identity

Introduction

In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc.

On the Internet, users are identified by sets of information, such as SSN, Name, Credit Card number, Address, Phone number, etc.

Page 5: Identity

Introduction

Most services have moved to the Internet:

Electronic Commerce

Electronic Government

Electronic Learning

Electronic Marketing

Electronic Publishing

Page 6: Identity

Introduction

To interact with these service providers on the Internet, people use their Digital Identity.

Page 7: Identity

Introduction

One of the drawbacks of human-centric electronic interactions is the fuzziness of the image of the other partner over the network.


Page 8: Identity

Introduction

Ensuring security and privacy in a distributed communication system such as the Internet is crucial.

Crimes related to identity theft have become a major threat to the growth of commerce over the Internet.

Page 9: Identity

Introduction

Identity-related misuse and concerns[2]

Identity theft: Someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception[3].

Malicious change of information: Someone wrongfully changes somebody else's (or their own) personal information to do harm or for personal benefit.

Secondary use: Somebody impersonates someone else for personal benefit.

And the list keeps growing

Page 10: Identity

Federated Identity: Some facts

Below are some institutions and people believed to be victims of identity theft:

Bill Gates; CIA, NASA, Justice Department; Wells Fargo; Bank of America; eBay; UNT?

Page 11: Identity

Problem Definition

Identity has brought more complexity to the business model.

Any person may now be using multiple identities to access multiple service providers on the Internet.

Multiple identities also mean redundant costs and increasing problems.

Page 12: Identity

Problem Definition

One of the technologies that has emerged to solve the increasing complexity of identity management across multiple organizations is Federated Identity.

Page 13: Identity

Problem Definition

Federated Identity is a digital credential analogous to a country passport[4]

Trust negotiation model: the gradual interchange of credentials between two entities, with the goal of establishing trust and finally exchanging resources.

Our task is to review proposed designs for an efficient scheme for such federated interchange.

Page 14: Identity

Problem Definition

Different sets of information from the Identity may be needed by different organizations

Page 15: Identity

Federated Identity

Diagram: identity data needed by three organizations A, B and C.

Held separately by each organization:

A: Name, Address, Phone Number, PO Box, SSN

B: Name, Address, Phone Number, PO Box, SSN, Credit Card, Billing Address

C: Name, Address, Phone Number, PO Box, SSN, Credit Card, Passport Number

Federated, with the common data held once:

A: Name, Address, Phone Number, PO Box, SSN

B: Credit Card, Billing Address

C: Passport Number

Page 16: Identity

Federated Identity: Credentials negotiation

Disclosure policies: credential combinations are required for disclosure of sensitive information.

Negotiation between User and Service Providers, and among Service Providers.
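A minimal trust negotiation of the kind described on page 13 and in the disclosure policies above, as an added example that is not part of the presentation: each party's credentials carry a disclosure policy naming the credentials it must see from the other side first, and the parties alternate until the resource's policy is met or nobody can move. Credential names, policies and the resource policy are constructed for the example.

```python
# Each party holds credentials; each credential carries a disclosure policy:
# the set of credentials the other party must have shown before it is released
# (an empty set means it is disclosed freely). All names are constructed.
USER = {
    "student_id": set(),
    "ssn": {"provider_cert", "privacy_policy"},   # sensitive: needs both first
}
PROVIDER = {
    "provider_cert": set(),
    "privacy_policy": {"student_id"},
}
# The resource's own policy: what the user must have disclosed to obtain it.
RESOURCE_POLICY = {"student_id", "ssn"}

def negotiate(user, provider, resource_policy, max_rounds=10):
    """Gradual interchange: in each round both sides release every credential
    whose policy the other side has already satisfied. Returns the ordered
    list of (party, credential) disclosures, or None if negotiation stalls
    before the resource policy is met."""
    shown = {"user": set(), "provider": set()}
    log = []
    turns = [("provider", provider, "user"), ("user", user, "provider")]
    for _ in range(max_rounds):
        progress = False
        for party, creds, other in turns:
            for cred, policy in creds.items():
                if cred not in shown[party] and policy <= shown[other]:
                    shown[party].add(cred)
                    log.append((party, cred))
                    progress = True
            if resource_policy <= shown["user"]:
                return log
        if not progress:
            return None   # deadlock: neither side can satisfy the other's policy
    return None
```

The deadlock branch is the case a real negotiator must handle: a credential whose policy names something the other side will never show keeps the resource unreachable without any error from either party.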

Page 17: Identity

Federated Identity: Scalability

KEY CONCEPTS for Scalability of Federated Identity

Has to work with the Browser as the client-side software

Centralized approach

Identity- or Capability-based credentials

Page 18: Identity

Federated Identity: Scalability

Page 19: Identity

Federated Identity: Privilege management

Both Federated Identity and Privilege Management are cornerstones of a Management Framework.

A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:

Page 20: Identity

Federated Identity: Requirements

1. SSO (Single sign-on): Persistence of user identity across enterprise domains, allowing users to transfer their authorizations across multiple points of policy enforcement.

2. Effective access control: Access control should be fine-grained enough to follow dynamically evolving enterprise resources.

Page 21: Identity

Federated Identity: Requirements

3. Decentralized model: The system should not rely on a centralized access point; instead, it should be distributed.

4. Authentication for strangers: In the new distributed Internet environment, there is no longer any advance knowledge of identities or capabilities.

Page 22: Identity

Federated Identity: Requirements

5. Trust, Anonymity and Privacy: Privacy protection is becoming an increasing concern, from both the social and the legal perspective. It is a compromise, since avoiding name-binding complicates trust establishment.

6. Standardized approach: The solution should be able to integrate with other systems, using existing accepted standards.

Page 23: Identity

Federated Identity: Requirements

7. Browser based: Nobody wants to install client-side applications.

8. Technology issues: Cookies and JavaScript are being used. Nevertheless, they have proved to be a security problem, even though they are better than the other options.

Page 24: Identity

Federated Identity: Ideal Scheme

1. Request page

2. Auto redirect

3. Redirect

4. Request credentials

5. Login

6. Redirect w/tickets in header

7. Request page w/credentials

8. Set ticket
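The eight-step scheme above walked through in code, as an added example that is not part of the presentation and not any of the systems compared later: the identity provider issues a ticket bound to one service provider with an expiry, and the service provider verifies it before setting its own session ticket. The HMAC-based ticket format, the shared key table and the user store are assumptions made for this example.

```python
import base64, binascii, hashlib, hmac, json

# Keys the IdP shares with each service provider out of band (constructed).
KEYS = {"shop.example": b"constructed-key-for-shop",
        "bank.example": b"constructed-key-for-bank"}
USERS = {"alice": "correct horse"}   # the IdP's credential store (constructed)

def b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_ticket(user, password, audience, now, ttl=300):
    """Steps 4-6: the IdP checks the login and answers with a ticket that is
    MAC'ed under the key of one service provider (aud) and carries an expiry."""
    if USERS.get(user) != password:
        return None
    body = json.dumps({"sub": user, "aud": audience, "exp": now + ttl}).encode()
    sig = hmac.new(KEYS[audience], body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def sp_verify_ticket(audience, ticket, now):
    """Steps 7-8: accept only if MAC, audience and expiry all check out."""
    try:
        body_b64, sig_b64 = ticket.split(".")
        body, sig = unb64(body_b64), unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(KEYS[audience], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None          # forged, tampered, or issued for another SP
    claims = json.loads(body)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None          # replayed after expiry or wrong audience
    return claims["sub"]

def sso_flow(user, password, sp="shop.example", now=1_000_000):
    """Walk the eight steps of the ideal scheme; return (trace, subject)."""
    trace = ["1 GET /page", "2 redirect to idp", "3 GET idp/login",
             "4 credentials required", "5 POST login"]
    ticket = idp_issue_ticket(user, password, sp, now)
    if ticket is None:
        return trace + ["6 login failed"], None
    trace += ["6 redirect back, ticket in header", "7 GET /page with ticket"]
    subject = sp_verify_ticket(sp, ticket, now)
    trace.append("8 set session ticket for %s" % subject)
    return trace, subject
```

Binding the ticket to one audience is what stops a ticket handed to one service provider from being replayed at another, and the expiry bounds how long a captured one stays useful.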

Page 25: Identity

Federated Identity: Examples

MSN Passport: Developed by Microsoft

Kerberos: Developed by MIT

X.509: Network Working Group, Certificate Management Protocol

RBAC: Research Proposal

Page 26: Identity

Federated Identity: MSN Passport

1. Request page

2. Auto redirect

3. Redirect

4. Request credentials

5. Login & passport

6. Redirect w/tokens in header

7. Request page w/credentials

8. Set cookie

Page 27: Identity

Federated Identity: MSN Passport

Centralized model

Credentials and no tickets

Used to authenticate users of Hotmail and MSN Messenger. Other users include Zurich, GMAC.

The biggest Federated Identity system is Passport, from Microsoft

Page 28: Identity

Federated Identity: MSN Passport

Processes 3.5 billion authentications each month

Uses XML as the core

Uses SSL

Passport requires triple DES keys with each organization. The keys must be generated securely and given to the merchants out of band. Some keys were broken because of the poor randomness of the keys generated.

Page 29: Identity

Federated Identity: MSN Passport - Problems

Centralized point of attack, against the distributed nature of the Internet. Vulnerable to DoS attacks.

Due to the cookie architecture, a Service can impersonate MSN Passport and delete all the cookies in the clients (used for DoS attacks).

JavaScript and cookie technologies have proved to be insecure.

Page 30: Identity

Federated Identity: MSN Passport - Problems

Bugs have a great impact: MSN found problems many times, bringing down all services depending on Passport. One example was a failure in the password resetting mechanism.

Page 31: Identity

Federated Identity: Kerberos

1. Request page

2. Auto redirect

3. Redirect

4. Request credentials

5. Login

6. Redirect w/tokens in header

7. Request page w/credentials

8. Set ticket

Symmetric

Page 32: Identity

Federated Identity: Kerberos

Developed by MIT's Project Athena

Allows mutual authentication and secure communications over the network

Uses symmetric key encryption and authentication credentials

Authentication credentials are based on identity and are suited for access control lists.

The main problems for Identity Management are centralization and name binding.

Page 33: Identity

Federated Identity: Kerberos - Problems

Kerberos is identity based, which causes problems for scalability. Key concept: avoid name-binding.

Suitable for access roles. Nevertheless, symmetric keys are not suited for Federations and Distributed Identity Management.

Page 34: Identity

Federated Identity: X.509

1. Request page

2. Auto redirect

3. Redirect

4. Request credentials

5. Login

6. Redirect w/tokens in header

7. Request page w/access privileges

8. Set privileges

3. Redirect

Asymmetric

Page 35: Identity

Federated Identity: X.509

X.509 is a Certificate Scheme for Authentication

Based on Public Key Infrastructure (PKI)

The access control credential is called an Attribute Certificate

Asymmetric authentication

Integrated approach to Authentication and Authorization

Page 36: Identity

Federated Identity: X.509 Problems

Integrated approach to Authentication and Authorization, which is not good in all contexts.

This is because not all system-specific capabilities may be known in advance.

Access control credentials are not sufficient to meet effective Access Control requirements. Key concept: Not Scalable.

Page 37: Identity

Identity: Role-Based Access Control (RBAC)

Current Enterprise solutions employ a combination of physical security, passwords, and Role-based Access Control to ensure the identity of a user

Physical security and passwords protect the system from intrusion.

Role-based Access Control limits access to documents and data based on a “need to know” basis

Page 38: Identity

Identity: Role-Based Access Control (RBAC)

Access rules are established with sets of access pairs which associate users and their corresponding permissions:

(user, permissions)

While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML

Page 39: Identity

Federated Identity: XML Public Protocols

SAML (Security Assertion Markup Language)

XML based

Avoids limitations of cookies

SSO

Interoperability: Different implementations can be compatible

Web Services: Suited to work in browser environments

Federations: Can simplify Federation usability

Page 40: Identity

Federated Identity: XML-Based Doc Security

X-Sec [5] is one notional XML-based control system with the following components:

Credential-types (ct): user type definitions. Example: manager, customer, carrier. A credential-type is a pair (nct, Pct), where n is the name of the credential and P is the set of property specifications for the ct.

XML credential-type and corresponding graph representation [5]

Page 41: Identity

XML-Based Doc Security

X-Sec Components (cont)

Credential: an instantiation of a credential-type. Specifies the set of property values characterizing a given subject against the credential-type itself.

Physical credentials are certified by the credential issuer

XML credential and corresponding graph representation [5]

Page 42: Identity

XML-Based Doc Security

X-Sec Components (cont)

Security Policy Base Template: specifies credential-based security policies based on enterprise protection requirements:

Documents to which the policy applies

Portions of documents within target documents

Access modes

Propagation mode for the policy

Page 43: Identity

XML-Based Doc Security

X-Sec Components (cont)

Security Policy Base Instantiation Example (below):

Secretaries in sales can access and modify all purchase order documents

UPS employees can access information about the customer, carrier, and order id.
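The two policies above expressed through X-Sec's components (credential-types, credentials, and a security policy base with target documents, portions, access modes and propagation mode), as an added example written for this page rather than X-Sec's own syntax [5]. The purchase order document, the credential-type names, the property names and the ElementTree path notation for portions are all constructed.

```python
import xml.etree.ElementTree as ET

# Credential-types (ct): the type name and the property names a credential of
# that type must carry. Names are constructed for this example.
CREDENTIAL_TYPES = {"employee": {"department", "role"}, "carrier": {"company"}}

def make_credential(ct, **props):
    """A credential instantiates a credential-type: it must supply exactly the
    properties the type declares (the issuer's signature is out of scope)."""
    if ct not in CREDENTIAL_TYPES or set(props) != CREDENTIAL_TYPES[ct]:
        raise ValueError("credential does not match credential-type %r" % ct)
    return {"ct": ct, **props}

# Security policy base: (credential condition, target document type, portions
# of the document as ElementTree paths ('.' = whole document), access modes,
# propagation). 'cascade' extends a policy from an element to its subtree.
POLICY_BASE = [
    (lambda c: c["ct"] == "employee" and c["department"] == "sales"
               and c["role"] == "secretary",
     "purchase_order", ["."], {"read", "write"}, "cascade"),
    (lambda c: c["ct"] == "carrier" and c["company"] == "UPS",
     "purchase_order", ["./customer", "./carrier", "./order_id"],
     {"read"}, "cascade"),
]

# A constructed purchase order document.
PURCHASE_ORDER = ET.fromstring("""<purchase_order>
  <order_id>PO-1001</order_id>
  <customer><name>Example Corp</name><address>1 Main St</address></customer>
  <carrier>UPS</carrier>
  <items><item sku="X1" qty="3"/></items>
  <billing><card>**** 4242</card></billing>
</purchase_order>""")

def permitted(credential, doc_type, root, mode):
    """Tags of every element the credential holder may access in `mode`."""
    allowed = set()
    for applies, target, portions, modes, propagation in POLICY_BASE:
        if target != doc_type or mode not in modes or not applies(credential):
            continue
        for portion in portions:
            nodes = [root] if portion == "." else root.findall(portion)
            for node in nodes:
                subtree = node.iter() if propagation == "cascade" else [node]
                allowed.update(el.tag for el in subtree)
    return allowed
```

Note that the carrier policy never reaches the billing portion, which is the point of specifying portions rather than whole documents.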

Page 44: Identity

XML-Based Doc Security: Assessment

PRO:

Highly available in commercial products

Easy to set up

Training is readily available

Highly effective in a CLOSED and TRUSTED environment

CON:

Often difficult to REMOVE users

Impractical in an open user environment

Not a long-term Internet solution

Passwords can be stolen, resulting in unauthorized access

Periodic password changes make remembering passwords difficult

Left to their own devices, people tend to choose passwords that are easy to guess

Page 45: Identity

Biometrics

DEFINITION: Any of a variety of identification techniques based on some physical or behavioral characteristic of the individual, contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic.

Physiological Biometrics: Fingerprints, hand and/or finger geometry, eye (retina or iris), face, and wrist (vein)

Behavioral Biometrics: Voice, signature, typing behavior, and pointing

Page 46: Identity

Biometrics

OVERVIEW

The user's digital template is created during an "enrollment period" and stored in a database.

On attempted verification, the relevant template is extracted and compared with the data input.

An ATM card is still required to point at the correct digital template.

Verification is based on statistical techniques of comparison between the two.

Page 47: Identity

Biometrics

Some devices that use Biometrics

Page 48: Identity

Benchmarks

The eight points can be used to measure whether an Identity Management Protocol is suited for scalability and Federated use.

Browser features can be used as a metric: Use of cookies, use of JavaScript, use of XML

Page 49: Identity

Biometrics: Benchmarks

BENCHMARKS for Biometrics

Template size

Speed of enrollment

False Accept Rate

False Reject Rate
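The template comparison of page 46 and the False Accept / False Reject benchmarks of this slide, as an added example not taken from the presentation: verification accepts when a sample's distance from the claimed user's template is within a threshold, and sweeping that threshold over recorded genuine and impostor attempts shows that FRR can only be bought down at the price of FAR. The feature vectors, the distance measure and the attempt sets are constructed for the example.

```python
# A template is a vector of measurements taken at enrollment; verification
# compares a fresh sample against the template selected by the claimed
# identity (the role the ATM card plays) and accepts when the distance is
# within a threshold. All vectors below are constructed, integer-scaled
# features, not real biometric data.
TEMPLATES = {"alice": [20, 80, 50, 10], "bob": [90, 30, 60, 70]}

# Known genuine attempts (claimed user really is the user) and impostor
# attempts (claimed user is not), used to measure FAR and FRR.
GENUINE = [("alice", [24, 76, 54, 10]), ("alice", [36, 64, 50, 30]),
           ("bob", [90, 34, 60, 66]), ("bob", [70, 50, 40, 90])]
IMPOSTOR = [("alice", [85, 30, 60, 70]), ("bob", [20, 80, 50, 10]),
            ("alice", [30, 72, 42, 20]), ("bob", [60, 50, 50, 50])]

def distance(template, sample):
    """Mean absolute difference between two equally long feature vectors."""
    if len(template) != len(sample):
        raise ValueError("feature vectors differ in length")
    return sum(abs(a - b) for a, b in zip(template, sample)) / len(template)

def verify(templates, claimed_user, sample, threshold):
    """Accept iff the sample is within `threshold` of the claimed user's template."""
    return distance(templates[claimed_user], sample) <= threshold

def error_rates(templates, genuine, impostor, threshold):
    """Return (FAR, FRR): impostors wrongly accepted and genuine users wrongly
    rejected, each as a fraction of the attempts of that kind."""
    far = sum(verify(templates, u, s, threshold) for u, s in impostor) / len(impostor)
    frr = sum(not verify(templates, u, s, threshold) for u, s in genuine) / len(genuine)
    return far, frr

def threshold_for_frr(templates, genuine, impostor, max_frr):
    """Smallest integer threshold whose FRR is within budget, with the FAR it
    costs: loosening the threshold trades false rejects for false accepts."""
    for t in range(0, 101):
        far, frr = error_rates(templates, genuine, impostor, t)
        if frr <= max_frr:
            return t, far
    return None
```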

Page 50: Identity

Biometrics: Benchmarks

ASSESSMENT

PRO:

When it works, it works best

Generally acceptable in controlled group settings

CON:

Bad user perceptions

May be misused

May harm eyes

Input quality degrades with age

Unacceptable False Reject Rates: 17% (facial), 10% (finger swipe)

Page 51: Identity

Conclusions

Identity is a key issue for the Next Generation Internet.

Any new or already proposed scheme for Identity Management should address at least the eight points set out above.

All Identity Management should work with a Browser on the client side.

Page 52: Identity

Conclusions (cont)

Identity Management paradigms that ensure “you are you,” as opposed to “you are who you say you are” are absolutely critical to the future of e-commerce and electronic information sharing

Federated Identity can only be successful if the services are decentralized.

Not an easy task

Page 53: Identity

Conclusions (cont)

Access control systems will continue to provide enterprise solutions for controlled areas for the foreseeable future

Biometrics appears to be the only real solution on the horizon, but it is not yet reliable enough for use in the general world population.

Page 54: Identity

Sources

Images and icons from http://www.kde-look.org

Icons from CISCO SYSTEMS http://www.cisco.com/warp/public/503/2.html#pkt

Photo on slide 7, from Wikipedia, http://en.wikipedia.org/wiki/Kevin_mitnik

Page 55: Identity

References

1. Toby Baier, Christian Zirpins, Winfried Lamersdorf, “Digital Identity: How to be someone on the Net”

2. Peter G. Neumann, “Identity-Related misuse”, Communications of the ACM.

3. US Department of Justice (USDOJ). (2000, June). “Identity theft and fraud”. Retrieved July 1, 2004, from the World Wide Web: http://www.usdoj.gov/criminal/fraud/idtheft.html

4. E. Bertino, A. Bhargav-Spantzel, A. C. Squicciarini, "Digital Identity Management and Trust Negotiation", CERIAS, Purdue University, University of Milan, Milan, Italy.

Page 56: Identity

References

5. E. Bertino, S. Castano, E. Ferrari, "On Specifying Security Policies for Web Documents with an XML-based Language", SACMAT'01, May 3-4, 2001, Chantilly, Virginia.

6. L. Coventry, A. DeAngeli, G. Johnson. “Usability and Biometric Verification at the ATM Interface”. CHI 2003, April 5-10, 2003, Fort Lauderdale, FL.